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Foreword 

This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). 
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GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. 
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Foreword 



id , 



This Technical Specification has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

x the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 



Historically, content such as books, music, games, and videos have been delivered on paper, magnetic tape, and disks. 
The technology required to digitally copy and redistribute this content on a large scale prohibited the secondary market 
from having much affect on revenues from content sales. With large decreases in the cost of technology, e.g. storage 
space and recordable digital media, and greater Internet bandwidth, services like Napster and Gnutella have sprung up 
to allow massive redistribution of music and similar content. At the same time, the absence of protection of rights 
associated with this kind of content in the digital environment has so far prevented the use of Internet as a distribution 
channel for valuable content. 

With the advent of faster wireless networks and increasingly capable user equipment, the mobile environment will soon 
become another avenue for distributing valuable content. This will require taking steps to establish a model for 
protecting the rights of the content providers when distributing digital content in the mobile environment. 

This specification defines the requirements for the support of digital rights management in the wireless network. The 
use cases defined in section 1 1 should be taken into account when defining a secure, consumer-friendly rights 
management system. 
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Scope 



This TS defines the stage one description for digital rights management. Stage one is the set of requirements that shall 
be supported to enable digital rights management, from content packaging to secure storage and rendering. 

This TS includes requirements applicable to the content authors and providers, UE and network manufacturers, which 
are sufficient to provide complete support of digital rights management. 

Additional functionalities not documented in this TS are considered outside the scope of this TS. Such additional 
functionality may be on a network-wide basis, nation-wide basis or particular to a group of users. Such additional 
functionality shall not compromise conformance to the requirements of the rights management system defined in this 
specification. 

Note: Stage 2 and Stage 3 requirements shall be adopted from the corresponding DRM specifications by OMA 
(Open Mobile Alliance). 



References 



The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication, edition number, version number, etc.) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including 
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same 
Release as the present document. 

[1] 3GPP TR 21.905: 3rd Generation Partnership Project; Technical Specification Group Services and 

System Aspects; Vocabulary for 3GPP Specifications 



3 Definitions, symbols and abbreviations 
3.1 Definitions 

Consumer 

User granted the right to access content. 

Content 

An image, a piece of music or a video, a book, an article, a game, an executable program or similar. Content 
may be delivered on its own (e.g. download or streaming of music), as part of some message (e.g. an image or 
music in an MMS or Email message), as part of some web content (e.g. an image in a web page), and so on. 
Content becomes DRM content once injected into the DRM system and governed by corresponding rights. 

Content Provider 

An entity (e.g. a web server or a carrier portal) that provides content to consumers. The content provider may 
itself be a rights holder, or may provide content on behalf of or with permission from a rights holder, and may 
at the same time assume the role of a rights issuer. 
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DRM System 



The collection of entities participating in producing and specifying DRM content and rights, and in upholding 
and enforcing the consumption of DRM content according to the rights, e.g., UEs, content providers. 

DRM Content 

Content that is subject to protection by the DRM system and that can only be rendered according to 
corresponding rights governing the DRM content. 

Render 

To provide a visual or audio representation of content, execute content, etc. 
Rights Holder 

An entity owning the intellectual property rights (e.g. copyright) to content. 

Rights Issuer 

An entity issuing rights specifying the usage of DRM content. The rights issuer may be a content provider 
and/or rights holder. 

Super distribution 

Redistribution of DRM content from a UE to one or more secondary recipients. Secondary recipients may, for 
example, receive a free sample as defined by the usage rights (which might be limited), or purchase new rights 
to render the content. 



Trust 



Trust is used to denote the confidence between entities in the DRM system to correctly specify and produce 
DRM content and rights, and to uphold and enforce the consumption of DRM content according to the rights. 



Usage Rights 



Usage rights describe how DRM content may be used, including permissions (e.g. play, view, execute), 
constraints (e.g. ten times, for one month), etc. 



3.2 Abbreviations 

For the purposes of this document the following abbreviations apply: 

3G Third Generation Mobile Communications Technology 

DRM Digital Rights Management 

EMS Enhanced Messaging Service 

HTTP Hyper Text Transfer Protocol 

MMS Multimedia Messaging Service 

SMS Short Messaging Service 

UE User Equipment 
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4 Digital Rights Management Model 



The following model that describes digital rights management (DRM) is not definitive, and no implementation model or 
architecture is implied or required by it. It is provided, however, to describe the functions and roles that shall be 
provided by the entities involved in providing the DRM solution. 

DRM capabilities are required for content such as, but not limited to, ringtones, games, books, music, and video. The 
purpose of digital rights management is to provide an end-to-end solution, i.e. between a content provider and a UE, 
ensuring that rights associated with content are enforced, thus limiting illegal access. 

The complexity of any DRM solution clearly will have a direct relationship with the value of the content being 
protected; the higher the value of the content, the higher the means which can be justified to protect it. It can be 
expected that 3G terminals will be able to render both "low-value" and "high-value" content. The definition of what 
value to associate with which type of content, however, is a decision to be made by the content provider and is therefore 
out of the scope of standardization. Nevertheless, it shall be ensured that any standardized DRM solution is flexible 
enough to cater for the different values content may have. 

At least the following classes of DRM shall be defined by the DRM specification: 

- DRM Class 1 : "Forward Lock" 

"Forward lock" DRM shall encompass some means for preventing the onward distribution of DRM content. The 
focus shall be on simplicity and ease of deployment rather than on strong security; e.g. it may be assumed that 
the UE provides a trusted environment. Requirements for class 1 DRM are listed in chapters 5, 9 and 10. 

- DRM Class 2: "Comprehensive DRM" 

"Comprehensive DRM" shall encompass strong trust models, strong protection of contents and rights, allowing 
secure distribution and management of DRM content and rights in an open environment. The focus shall be on 
comprehensive rights expression, and comprehensive security models. Requirements for class 2 DRM are listed 
in chapters 6 through 10. 

Digital rights management is not a single entity or functionality. Rather, it involves a number of different components, 
such as: 

Specification of usage rights. 

Usage rights express what a UE may or may not do with DRM content. Rights include permissions (e.g. play, 
view), constraints (e.g. ten times, for one month) and so on. Usage rights are always managed end-to-end - they 
are defined by the rights issuer (on behalf of rights holder) and enforced by the UE. 

Content protection 

A DRM solution should provide some means for protecting content, (e.g. encryption). 

Trust relationships 

A DRM solution should provide some means for ensuring the establishment of a trusted relationship between the 
UE and the content provider. This includes the trust of a content provider or rights issuer put in a UE to uphold 
and enforce usage rights for DRM content, and the trust of a UE put in a content provider or rights issuer that 
DRM content and rights have been correctly and legitimately generated. 

In order to ensure a reasonable pace in the standardization of DRM, existing standards for mobile environment and for 
the individual DRM components should be re-used as far as possible and feasible. Further, to maximize interoperability, 
and to reduce terminal complexity, there should be one standardized solution for a rights description language, one 
solution for content protection and one solution for trust relationships as part of the 3GPP DRM specification. Options 
should be avoided as far as possible. 

On the other hand, it needs to be acknowledged that DRM component solutions will evolve over time, and content 
providers may wish to deploy more advanced solutions in the future, e.g. more advanced and robust cryptographic 
algorithms to protect their content. Therefore, a standardized DRM solution should be extensible. However, such an 
evolution shall occur within a tight standardization process that minimizes the number of parallel solutions existing in 
the market. 
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Distribution of content should be possible over any kind of transport; for example pull from a browser, end-to-end 
secure connections, streaming media, messaging (e.g. MMS, Email), local transfer (e.g. IrDA, Bluetooth), etc. The 
DRM system shall be transport independent to avoid multiple solutions for different transports. 

A high-level model for digital rights management may be described as follows: 

DRM content, and corresponding usage rights, may be distributed from content providers and rights issuers to 
UEs. 

The UE enforces the usage rights, and prevents any unauthorised use of the content. 

If the usage rights allow, content may be distributed or moved, and accessed by the receiving UE if granted the 
rights to do so. The content provider may specify alternative usage rights to be applied to copies (e.g. limited 
'preview' style rights). 

If a user possesses content for which usage rights have expired or for which the user wished to update the usage 
rights, then the user may acquire new usage rights. 



5 Requirements (Class 1 DRM) 

The following minimum requirements apply to class 1 DRM. 

5.1. General Requirements 

1 The DRM specification shall provide a mechanism for preventing onward distribution of DRM content. The 
mechanism may be "simple", e.g. based on a "flag" or "wrapper". 

2 The focus of class 1 DRM shall be on simplicity and ease of deployment rather than on strong security; e.g. it 
may be assumed that the UE provides a trusted environment 

3 The DRM specification shall be delivery and media type independent, i.e., the delivery and specification of class 
1 DRM content must be independent of format and delivery mechanism. 

4 The DRM specification shall be designed as an open specification and re-use existing open standards as 
appropriate. 

5 The DRM specification shall impose minimal signalling and computational load on UEs and on communication 
among entities of the DRM system for all components of the DRM solution. 

6 The DRM specification shall not prevent the content provider from distributing content that is not rights 
protected. 

7 The DRM specifcation shall work reliably in environments where fragment loss (e.g. packet loss or bit errors) 
for content may be encountered (note that rights must be delivered reliably). 

5.2 User Requirements 

1 The user experience shall not be impaired by the DRM specification. 

2 The DRM system shall not prevent a user to access non-DRM content. 

3 The DRM specification shall permit users to be informed about the rights status of DRM content. 

5.3 UE Requirements 

1 The UE shall enforce the forward locking of DRM content. 

2 The DRM specification shall not prevent the user from managing content that is not rights protected. 
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6 High level requirements (Class 2 DRM) 

The following high level requirements apply to class 2 DRM. 

6.1 General Requirements 

1 The DRM specification shall provide a mechanism allowing rights issuers to provide usage rights to a UE, and to 
associate usage rights with DRM content. The mechanism shall allow usage rights to be enforced. 

2 The DRM content and corresponding usage rights may be physically separate, but shall be logically linked to 
each other. 

3 The DRM specification shall allow usage rights and DRM content to be delivered via the same or different 
transport mechanisms. 

4 The DRM system shall enable the clear, concise and unambiguous specification of rights. 

5 Usage rights shall be unambiguously bound to DRM content. 

6 The DRM specification shall be delivery and media type independent, i.e., the delivery and specification of 
DRM content and rights must be independent of format and delivery mechanism. 

7 The DRM specification shall impose minimal signalling and computational load on UEs and on communication 
among entities of the DRM system for all components of the DRM solution, i.e., preparation of content for use in 
the DRM system, specifying, interpreting, and enforcing usage rights, and establishing trust relationships. 

8 The DRM specification shall encompass the specification of the following three components: description of 
rights, content protection and establishment of trust relationship. For each component one concrete mechanism 
shall be specified. 

9 DRM shall be extensible, i.e. allow evolved DRM component solutions to be deployed. This extensibility shall 
occur within a tight standardisation process. Within each version of a DRM specification, if feasible, there shall 
be only one solution specified for each DRM component. 

10 The DRM specification shall not prevent the content provider from distributing content that is not rights 
protected. 

1 1 The DRM specification shall be designed as an open specification and re-use existing open standards as 
appropriate. 

12 The DRM specification shall work reliably in environments where fragment loss (e.g. packet loss or bit errors) 
for content may be encountered (note that rights must be delivered reliably, i.e., error free). 

6.2 User Requirements 

1 The user experience shall not be impaired by the DRM specification. 

2 The DRM system shall not prevent a user to access non-DRM content. 

3 The DRM specification shall permit users to be informed about the rights status of DRM content. 

4 The user shall be able to manage rights independently from DRM content, e.g., he/she shall be able to delete 
content, but to keep the corresponding rights (so that he/she could restore the content on the UE later without 
having to obtain new rights). 

5 If the user change his/her UE, it shall be possible to make the already obtained rights and content available on 
the new UE, if the rights allow it. 

6 For any received content, the user shall have the possibility to request the corresponding rights. 
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6.3 UE Requirements 

1 The UE shall enforce any usage rights associated with DRM content. 

2 The DRM specification shall not prevent the user from managing content that is not rights protected. 

7 Usage Rights (Class 2 DRM) 

The following usage rights requirements apply to class 2 DRM. 

1 The rights issuer shall generate the usage rights. 

2 The usage rights shall provide computationally efficient interpretation and enforcement. 

3 The UE shall obey and enforce the usage rights. 

4 Usage rights shall be stored securely. 

5 The usage rights shall allow the rights issuer to specify different ways of rendering and distributing (if required 
by the architecture) the DRM content (permissions) e.g. display, play, execute, copy, give etc. 

6 The usage rights shall allow the rights issuer to specify different ways of restricting the use of DRM content 
(constraints), e.g. number of times, elapsed time, alternative usage rights for copies, specific UE or group of UEs 
(e.g. all devices owned by a user), specific users, etc. 

7 The usage rights shall allow the rights issuer to specify additional information, for example where the content 
can be acquired, and where usage rights can be obtained or renewed. 

8 Security (Class 2 DRM) 

The following security requirements apply to class 2 DRM. 

1 The DRM solution shall provide a mechanism, allowing content providers to make DRM content intrinsically 
secure and unusable to any UE not being granted corresponding rights to render the content. 

2 The DRM solution shall allow content providers and rights issuers to establish a trust relationship with a UE. 

3 The DRM solution shall enable UEs to establish a trust relationship with content providers and rights issuers. 

4 The DRM system shall protect the integrity of usage rights. 

9 Privacy 

The following privacy requirements apply to class 1 and class 2 DRM. 

1 User information used to create the usage rights shall not be disclosed without the explicit consent of the end 
user. 

2 The user's identity shall not be disclosed to the content provider and/or to other parties without the explicit 
consent of the end user. 

10 Charging 

The following charging requirements apply to class 1 and class 2 DRM 

In DRM the valuable asset is the rights to use the content and not the content itself. Thus, it is expected that charging 
will be handled for the rights and not for the content per se. The need to enable charging based on rights becomes 
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evident when considering that rights to use the content once have a different value than rights to use the content ten 
times, for one week, or forever. The specification of the charging mechanism is out of scope of the DRM solution. 
Nevertheless, the DRM specification shall be able to support several business models. The following business models 
should be considered: 

Charging on a subscription basis. 

Charging on a pay before use (pre-pay) basis. 

Charging on a one-time basis for obtaining rights to DRM content. 

- Charging to receive streamed content. 

The above list is not exhaustive. 
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Annex A (informative); 
Use cases 



The following use cases help to describe the various aspects of the DRM specification and their impact on the 
consumer. Figure 1 depicts a high level view of how DRM fits into the content distribution model. 
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Figure 1 DRM and Content Distribution 

Acquiring usage rights 

When Alice wants to buy a song, she will simply browse a website with the UE and find the song she wants. The 
content provider may allow Alice to preview the available songs. After deciding on a song, she specifies which type of 
payment option she wants for the song. She chooses to buy the song, which gives her the right to play the song 
whenever she wants. 

Content delivery 

Once a song is downloaded, it can be accessed by Alice's UE according to associated usage rights. In either case, the 
new song title will be added to Alice's content list and Alice can play the song on her UE. Memory limitations on a UE 
may force Alice to keep some of her content in some other physical storage device, e.g. a memory card or a network 
store. The UE ensures that DRM content is encrypted before storing it in this way. Alice may be made aware of which 
music is local and which is stored remotely by using a separate listing or special marks on local songs. If Alice knows 
that she wants to listen to certain songs many times, she may want to store these songs locally on the UE. 

Alice and the content provider may employ any of the following means to download content to her UE: 

Downloaded from the server, POS, or kiosk and stored on a UE 

Streaming from the server, POS, or kiosk to one or more UEs 
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- Delivered using SMS, EMS, or MMS 

Delivered over-the-air, via a local connection or personal area network, or using other transport mechanisms 

Content usage 

Alice downloads the content to her UE, but would also like to play it on another DRM -enabled UE that she owns. The 
usage rights may allow her to transfer the song to the other UE and render it, according to the content usage rules. 

While Alice is at work, the battery goes flat on her UE. After recharging her UE, she is able to access content saved in 
non-volatile memory, or backup copies saved on a memory card or in a network store. 

A week later, Alice purchases a new UE. If usage rights allow, Alice may transfer her purchased content and play it on 
her new UE. 

Super distribution 

Depending on a song's usage rights, Alice may have the right to make copies and send them to other people. The copies 
may have another set of usage rights than Alice's original; perhaps only allowing limited access to the content while full 
access can be purchased from the content provider. If Alice's UE is capable of establishing a short-range ad-hoc 
network, transferring contents is made easier, and can rapidly lead to more content distribution and possibly increased 
content sales. 

The samples that Alice distributes may consist of just a 20 or 30 second clip of a main portion of the song. Or, she may 
be allowed to distribute the song with the usage rights only allowing the song to be played one time. After the initial 
play, the user would have to purchase rights from the content provider to play the song again. Other types of sampling 
may also be possible. 

Gifting Rights 

Alice really likes the song and decides she wants to send it to Susan also. Alice contacts the content provider with her 
UE and pays to have content delivered to Susan. Susan receives the song, and is able to listen to it using the rights paid 
for by Alice. Alternatively, Susan may receive a notification that the song has been gifted to her and she can download 
it at her leisure. 

Other Services 

Additionally, other services may be provided within the DRM model. Examples include, but are not limited to: 

Trust services 

Authentication services 

Payment brokers 

Content bank (network storage of downloaded content) 

Rights locker (network storage of usage rights) 

The content provider may run such services itself, or they may be provided as generic services by communication 
service providers. 
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